Commit 0df6fb1e authored by Igor Sheludko's avatar Igor Sheludko Committed by Commit Bot

[dict-proto] Fix ConstantInDictionaryPrototypeChainDependency

... for primitive receivers. We should use initial map taken from
constructor function as a prototype chain lookup root instead of the
receiver map.

Bug: v8:11248
Change-Id: I91fde2f1102029654c7fdd8890d265ae8bad2791
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2797281Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73769}
parent bb7b659a
......@@ -157,7 +157,19 @@ Node* PropertyAccessBuilder::FoldLoadDictPrototypeConstant(
base::Optional<ObjectRef> value =
holder.GetOwnDictionaryProperty(access_info.dictionary_index());
for (const Handle<Map> map : access_info.lookup_start_object_maps()) {
for (Handle<Map> map : access_info.lookup_start_object_maps()) {
// Non-JSReceivers that passed AccessInfoFactory::ComputePropertyAccessInfo
// must have different lookup start map.
if (!map->IsJSReceiverMap()) {
// Perform the implicit ToObject for primitives here.
// Implemented according to ES6 section 7.3.2 GetV (V, P).
Handle<JSFunction> constructor =
Map::GetConstructorFunction(
map, broker()->target_native_context().object())
.ToHandleChecked();
map = handle(constructor->initial_map(), isolate());
DCHECK(map->IsJSObjectMap());
}
dependencies()->DependOnConstantInDictionaryPrototypeChain(
MapRef{broker(), map}, NameRef{broker(), access_info.name()},
value.value(), PropertyKind::kData);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment